Difference between revisions of "Privacy: Legal European Framework"

Data Protection related European legislation and initiatives

with some accents on RFID

• European Convention for Human Rights (ECHR), 1953:
  • Art 8: right to private life
  • by Lisbon Treaty: EU is now also member of it, not only the MS (Member States).
• OECD Organization for Economic Cooperation & Development published in 1980:
  • Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data
• The Council of Europe Convention for the protection of individuals with regard to automatic processing of personal data (Convention 108), 1981
• Data Protection Directive (95/46/EC) & Regulation (EC) Nr. 45/2001 (~same as directive but for EU bodies)
• ePrivacy Directive (2002/58/EC)
  • replaces 97/66/EC
  • amended by 2009/136/EC, see below
• Data Retention Directive (2006/24/EC)
  • MS can choose mandatory retention between 6 to 24 months
  • to be implemented by 15/9/2007 (internet 15/3/2009) but still some MS fail
  • Romania constitutional court declared it unconstitutional (8/10/2009) <> privacy rights & secrecy of correspondence
• Framework decision 2008/977/JHA of the Council
  • data protection for police & judicial cooperation in criminal matters (only cross-border)
  • former third pillar
• 31st annual International conference of data protection and privacy commissioners
  • The Madrid Privacy Declaration, 3 November 2009, by Civil Society
    • Urges for a data breach legal framework
    • Recommends research on PETs (Privacy Enhancing Technique) such as anonymization
    • Calls for moratorium on development of new systems of mass surveillance such as facial recognition, whole body scanners, biometric identifiers and embedded RFID tags
  • The Madrid Resolution, 5 November 2009
    • Joint proposal for a draft of international standards on the protection of privacy with regards to the processing of personal data
    • Largely similar to main principles & rights of 95/46/EC + accountability principle
• Directive 2009/136/EC, 25 November 2009, to be transposed before May 2011
  • modifying among others the ePrivacy directive 2002/58/EC
    • urges for a data breach principle regardless of the sector, or the type, of data concerned (recital 59)
    • mentions the directive is applicable also to RFID when such devices are connected to publicly available electronic communications networks or make use of electronic communication services as a basic infrastructure (recital 56)
  • personal data breach notification principle
    • if in connection with the provision of publicly available electronic communications service)
    • covers also accidental destruction/loss/deterioration, not only unauthorized disclosure/access
    • obligation without undue delay, to DPA, and to subjects if likely to adversely affect the personal data or privacy of a subject, unless security measures were properly implemented (=encryption)
  • spam
• Treaty of Lisbon, entered into force on 1 december 2009
  • Article 16 of the TFEU (Treaty on the Functioning of the European Union)
    • Everyone has the right to the protection of personal data concerning him
    • covers also justice/policy & EU bodies, only provisions are in Art 39 of the TEU (Treaty on the European Union): concerning CFSP (Common Foreign & Security Policy)
    • was Art 286 in the former Treaty establishing the European Community
  • Charter of Fundamental Rights of the European Union becomes binding (opt-out UK & Poland)
  • Art 8 on protection of personal data
    • Everyone has the right to the protection of personal data concerning him
    • fairly, for specified purposes, on basis of consent or some legitimate basis
    • right of access, right of rectification
    • control by authority
• Stockolm Program
  • sets framework 2010-2014 for cooperation in the area of justice & home affairs
  • data protection principles are present
• New Commission
  • now 2 commissioners for the former justice, freedom and security post:
    • justice freedom & citizenship (Viviane Reding)
    • foreign affairs & security (Catherine Ashton)
  • Commission consultation on 95/46/EC
    • general principles are still valid but we need clarification on consent, transparency and introduction of data breach & accountability principles

Data Protection related bodies

• European Data Protection Supervisor
• Commission's Justice & Home Affairs / Freedom, Security & Justice / Data Protection, includes a link to the national DPA
• Art. 29 Data Protection Working Party

RFID-related

• Art. 29 WP105 (19/01/2005) Working document on data protection issues related to RFID technology (pdf)
• Art. 29 WP111 (28/9/2005) Results of the Public Consultation on Article 29 Working Document 105 on Data Protection Issues Related to RFID Technology (pdf)
  • While consumers, security industry and universities all agree on the need for a kill command for consumer products at the exit of the shop, retailers and standard bodies for retailers strongly disagree
• 2006 public consultation of the Commission on RFID
• 2006 Study initiated by the European Parliament: RFID and Identity management in everyday life (pdf)
• Council Resolution of 22 March 2007 on a strategy for a secure Information society in Europe
• Commission decision 28 June 2007 setting up the Expert Group on Radio Frequency Identification (decision No 467/2007/EC) aka RFID-Stakeholders Group
• COM(2007)96 (15/3/2007) Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Radio Frequency Identification (RFID) in Europe: steps towards a policy framework (pdf), see also here
  • call for privacy by design, code of conduct, guidelines
  • towards Internet of Things & related databases
• Opinion of EDPS, December 2007, on above communication
  • 5 basic privacy and security issues
    • identification of the Data Subject as a risk (and problem of definition of personal data)
    • identification of the Data Controller(s) can be hard but needed to establish responsibilities
    • decreased meaning of the traditional distinction between the personal and public sphere
    • size and physical properties of RFID-tags
    • lack of transparency of the processing
  • self-regulation at first but need for guidance
  • opt-in principle, considered as already existing in the 95/46/EC but should be specified in self-regulatory instruments too
  • privacy by design
• COM(2008)594 (29/9/2008) Communication from the Commission Communication on future networks and the internet (pdf)
• 2009/387/EC Commission Recommendation of 12 May 2009 on the implementation of privacy and data protection principles in applications supported by radio-frequency identification (pdf)
• COM(2009)278 (18/6/2009) Communication from the Commission Internet of Things — An action plan for Europe (pdf)
  • invites MS to provide framework for privacy and data protection impact assessments to Art.29 WP within 12 months
  • creation of an RFID logo, mandatory for tags & readers
  • opt-in principle unless
    • evaluated as not a likely threat
    • retailers which are not operators (!! so opt-in drops if retailer is not equipped)
  • MS invited to take measures within 25 months, Commission will publish an evaluation of the implementation in three years

See also

• RFID page of European Commission / Information Society
  • its RFID news channel
• The Global RFID Interoperability Forum for Standards (GRIFS) is a Support Action Project funded by the European Commission with the aim to improve collaboration and thereby to maximise the global interoperability of RFID standards.
• Protecting privacy in the digital age (pdf), by Viviane Reding
• German Federal Office for Information Security (BSI) technical guidelines for RFID, covering eTicketing in public transports, in events, via NFC and RFID for trade logistics